Security Identifier Randomization: A Method To Prevent Kernel Privilege-Escalation Attacks

Privilege escalation attack is one of the serious threats to Linux. So the protection of the root user is an important requirement for Linux systems and SELinux has tackled this issue in some degree. But by exploiting kernel privilege-escalation vulnerabilities, the attackers can tamper security identifiers allocated for the process's security contexts, which are the foundation of SELinux enforcing access control. So we propose security identifier randomization method, which can increase the difficulty of kernel privilege-escalation attacks. This method is application transparent and its influence on overall system performance is within 1%.